On Feb 19, 2007 at 2038 +0100, Franck Joncourt appeared and said:
> René Pfeiffer wrote:
> > I am aware that there are several rule editors out there (such as
> > FWbuilder). I am more interested in a low-level approach having simple
> > rules that can be parsed easily and possibly distributed among multiple
> > firewall systems.
>
> I do not think there is another way to work at low level without writing
> rules by yourself. The more you write, the more you understand.

Well, yes, but maybe my mail wasn't written well enough. I agree that people
who really want to learn the capabilities and the internals of Netfilter
should do that by writing scripts. My question was directed at another
scenario - time for an example.

I am sysadmin for a couple of Netfilter firewalls that have run smoothly for
many years now. Most setups are fairly static or only changed by sysadmins who
know what they are doing. Some firewalls protect a NATed DMZ with development
servers running on a Xen host. The developers frequently start new servers
with new services (mostly HTTP and HTTPS) on a virtualised server with a
static IP. They need this server for a couple of weeks or months, then they
deactivate it. Maybe they wish to reactivate it after a period of time just to
run some additional tests.

Now the rules you need for this setup are NAT/NAPT translation rules and, of
course, filter rules. The Netfilter machine in question handles this by virtue
of a Bash script that contains a couple of functions. The problem is that the
developers wish to tell the firewall which IP and port to translate and to
allow access to by using a minimal set of parameters. They don't care for NAT,
NAPT, marking packets or policy routing. They simply wish to switch on a
service and switch it off again. (IMHO this is not the "right" approach to
firewalling, but this is another story.) So that's the reason why I asked
before writing yet another rule language and yet another parser.
> This is not my job, and I am far from being an expert, but I should
> say, distributed rules among multiple systems, is not that simple; it
> depends on your needs. Can a script for a router be useful for a
> server? It can be complicated to get a script working on both
> systems.

Yes, the distribution of rules was another use I had in mind, mainly as a
means to copy a working configuration to another firewall machine in case of
deceased hardware. I don't intend to magically "autoparse" rules between
machines that have completely different roles. ;)

Best regards,
René.
-- 
)\._.,--....,'``.         Let GNU/Linux work for you while you take a nap.
/,   _.. \   _\  (`._ ,.  R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.' - System administration + Consulting + Teaching -
Got mail delivery problems?  http://web.luchs.at/information/blockedmail.php
Attachment: pgpXmZhwcANwe.pgp (PGP signature)
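The on/off wrapper René describes above, written out as an added example; it is not part of the original message and not his script, which the thread does not show. Everything concrete in it is an assumption: the interface names eth0/eth1, the public address 203.0.113.10, the DMZ prefix 10.0.0, the chain names DEVSVC_NAT/DEVSVC_FWD and the function names. It does the two things a practitioner would want from such a wrapper: it validates the three developer-supplied parameters before they reach an iptables command line run as root, and it derives the -D rules from the same spec as the -A rules, so switching a service off removes exactly what switching it on added.

```shell
#!/bin/sh
# Added example, not the script from the thread. "Switch a DMZ service on/off"
# wrapper around iptables: developers supply only <public-port> <dmz-ip> <dmz-port>;
# the DNAT rule and the matching FORWARD rule are derived from that. POSIX sh.
#
# Assumptions (all hypothetical): eth0 faces the Internet, eth1 faces the DMZ,
# 203.0.113.10 is the firewall's public address, the DMZ is 10.0.0.0/24, the
# static policy already has FORWARD policy DROP plus an ESTABLISHED,RELATED
# accept rule, and svc_setup has been run once by the sysadmin.
set -eu

WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
DMZ_PREFIX="${DMZ_PREFIX:-10.0.0}"      # only hosts under this prefix may be exposed
CHAIN_NAT="DEVSVC_NAT"                  # developer-managed rules live in their own chains
CHAIN_FWD="DEVSVC_FWD"
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints the iptables commands instead

run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}
warn() { printf 'svc: %s\n' "$*" >&2; }

# Input validation is the whole point of the wrapper: the arguments come from
# developers and end up on an iptables command line run as root, so accept
# only a dotted quad with octets 0-255 and only a port number 1-65535.
valid_ip() {
  case $1 in *.*.*.*) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
in_dmz() { case $1 in "$DMZ_PREFIX".*) return 0 ;; esac; return 1; }

check_args() {
  if [ $# -ne 3 ]; then warn "need <public-port> <dmz-ip> <dmz-port>"; return 1; fi
  if ! valid_port "$1"; then warn "bad public port: $1"; return 1; fi
  if ! valid_ip "$2" || ! in_dmz "$2"; then warn "target must be a DMZ host ($DMZ_PREFIX.x): $2"; return 1; fi
  if ! valid_port "$3"; then warn "bad service port: $3"; return 1; fi
}

# One rule spec for both add (-A) and delete (-D), so "off" removes exactly
# what "on" added and no stale DNAT entry survives a deactivation.
apply() {  # $1 = A or D, $2 = public port, $3 = DMZ ip, $4 = service port
  run -t nat "-$1" "$CHAIN_NAT" -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$2" \
      -j DNAT --to-destination "$3:$4"
  run "-$1" "$CHAIN_FWD" -i "$WAN_IF" -o "$DMZ_IF" -d "$3" -p tcp --dport "$4" \
      -m conntrack --ctstate NEW -j ACCEPT
}
svc_on()  { check_args "$@" || return 1; apply A "$@"; }
svc_off() { check_args "$@" || return 1; apply D "$@"; }

# One-time setup by the sysadmin: hook the two chains into PREROUTING/FORWARD.
svc_setup() {
  run -t nat -N "$CHAIN_NAT"
  run -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -j "$CHAIN_NAT"
  run -N "$CHAIN_FWD"
  run -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -j "$CHAIN_FWD"
}

case ${1:-} in
  setup) svc_setup ;;
  on)    shift; svc_on "$@" ;;
  off)   shift; svc_off "$@" ;;
  '')    ;;   # no arguments: only define the functions (e.g. when sourced)
  *)     warn "usage: $0 setup | on|off <public-port> <dmz-ip> <dmz-port>"; exit 2 ;;
esac
```

Run as root: `svc.sh setup` once, then `svc.sh on 8080 10.0.0.5 80` and later `svc.sh off 8080 10.0.0.5 80`; `DRY_RUN=1 svc.sh on 8080 10.0.0.5 80` prints the two iptables commands instead of applying them. Two things the wrapper relies on but does not enforce are the assumed FORWARD policy of DROP and the static ESTABLISHED,RELATED accept rule, which together make only switched-on services reachable while letting return traffic flow. If developers invoke the script through sudo, the sudoers entry should name this script and nothing else, because the argument validation is the only thing that keeps the limited interface from turning into arbitrary iptables access.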